Bug #2341

Method REPORT any errors returns status 501 (Not Implemented)

Added by sinoptik about 3 years ago. Updated about 3 years ago.

Status:FixedStart date:2011-09-05
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:-
Target version:1.4.30
Missing in 1.5.x:No

Description

If on Webserver on mod Auth (mod_auth) and you try request with method REPORT but wit not authorization you get status 501 instead of 401 (Not Unauthorized)
curl 192.168.0.1 -X REPORT (Return 501 instead of 401)
or
if you want to request to a nonexistent url (file) you get status 501 instead of 404 (Not Found)
curl 192.168.0.1/nonexistent.html -X REPORT (Return 501 instead of 404)

Associated revisions

Revision 2804
Added by stbuehler about 3 years ago

Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)

History

#1 Updated by icy about 3 years ago

  • Status changed from New to Invalid

Why should it respond with something else than 501 if it does not understand the method?
The behavior is completely fine.

#2 Updated by sinoptik about 3 years ago

icy wrote:

Why should it respond with something else than 501 if it does not understand the method?
The behavior is completely fine.

I think the first need check for a file or authorization and send different errors status instead of one, it will be more informative.

p.s.
I want to move my project from apache (in apache return 404 abd 401) to lighttpd but this thing blocked me.

#3 Updated by icy about 3 years ago

Well I don't agree. The method specifies how the webserver handles the given request. Why should it check if a file exists and then decide how to handle it? It makes no sense. There can be methods that create content and don't request it, how would you handle this case?
So again, the current behavior is fine.

#4 Updated by stbuehler about 3 years ago

if a server doesn't understand a method, a 404 is definitely not appropriate (for example, 404 for PUT would be plain stupid).

But i guess mod_auth should probably trigger for all methods, as some module other than static file could handle it if mod_auth let it through.

If my understanding of the current status is correct, mod_auth does trigger a 401, but it gets overwritten in connections.c:453 with 501.

Setting con->mode = p->id instead of DIRECT in mod_auth.c line 278 should fix it.

#5 Updated by stbuehler about 3 years ago

  • Status changed from Invalid to Reopened
  • Target version set to 1.4.30

Hm, con->mode is not good either. I think i fixed it in current svn (coming soon).

#6 Updated by stbuehler about 3 years ago

  • Status changed from Reopened to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2804.

Also available in: Atom